A recent attack campaign by one of North Korea's state-run hacking groups uses a new PowerShell- and VBScript-based attack chain that is initiated from within LNK files. Multiple attack stages are downloaded from legitimate cloud services, and the final payload is an open-source remote access trojan.
"All of the C2 communication is handled by legitimate services such as Dropbox or Google Docs, allowing the malware to blend undetected into regular network traffic," researchers from security firm Securonix said in a report. "Since these payloads were pulled from remote sources like Dropbox, it allowed the malware maintainers to dynamically update its functionalities or deploy additional modules without direct interaction with the system."
Kimsuky is an advanced persistent threat (APT) group that has been active since at least 2012. It is one of the several cyberespionage and sabotage groups associated with the North Korean government and is believed to be run by the 5th Bureau (Inter-Korean Affairs) of the country's foreign intelligence agency. As a result, compared to other North Korean groups like Lazarus, APT38, and Andariel (Silent Chollima), Kimsuky primarily targets South Korean organizations and individuals.
LNK delivery mechanism
This was also the case in the new campaign analyzed by Securonix, which the company dubbed DEEP#GOSU. The attack chain began with phishing emails carrying a South Korean-themed lure that included .zip attachments. The zip archives contained a file with a double extension, IMG_20240214_0001.pdf.lnk, masquerading as a PDF. The files were actually Windows link (shortcut) files that contained an embedded PowerShell script that launched the multi-stage attack chain.
The LNK file is over 2MB, which is unusual for a shortcut file, because it has a PDF file appended to it. The script searches for the exact byte location of the PDF file within the binary, extracts it, creates a new object in memory to hold it, and then uses the PowerShell Start-Process cmdlet to execute it. This opens the PDF file in the default PDF viewer on the computer, mimicking the behavior the user would expect.
"What makes this tactic clever is that there is technically no PDF file contained within the initial zip file sent to the victim," the researchers said. "When the user clicks the PDF lure (shortcut file) they are immediately presented with a PDF file, thus removing any concern that something unexpected happened."
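The oversized shortcut with a PDF glued to its tail is something a SOC can check for mechanically. The following triage helper is an added example, not code from Securonix or from the campaign: it validates the Shell Link header (MS-SHLLINK), flags files larger than a normal shortcut, and reports the offset of any appended `%PDF-` signature. The size threshold and the sample bytes are constructed for illustration.

```python
"""Triage helper: flag Windows shortcut (.lnk) files that carry an appended PDF."""
import struct

LNK_HEADER_SIZE = 0x4C
# Shell Link CLSID {00021401-0000-0000-C000-000000000046}, little-endian GUID layout
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
PDF_MAGIC = b"%PDF-"
SIZE_THRESHOLD = 1 * 1024 * 1024  # assumption: real shortcuts are a few KB; DEEP#GOSU's was >2 MB

def is_lnk(data: bytes) -> bool:
    """True if data starts with a well-formed Shell Link header."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID

def find_appended_pdf(data: bytes):
    """Return (offset, pdf_bytes) for a PDF appended after the LNK header, else None."""
    if not is_lnk(data):
        return None
    offset = data.find(PDF_MAGIC, LNK_HEADER_SIZE)
    if offset == -1:
        return None
    return offset, data[offset:]

def triage_lnk(data: bytes) -> dict:
    """Summarise the indicators an analyst would want for one shortcut file."""
    hit = find_appended_pdf(data)
    oversized = len(data) > SIZE_THRESHOLD
    return {
        "is_lnk": is_lnk(data),
        "oversized": oversized,
        "pdf_offset": hit[0] if hit else None,
        "pdf_size": len(hit[1]) if hit else 0,
        "suspicious": bool(hit) or oversized,
    }

def build_sample() -> bytes:
    """Constructed sample (not the real campaign artefact): minimal LNK header,
    zero padding standing in for the shortcut body, then a tiny PDF on the end."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + b"\x00" * (LNK_HEADER_SIZE - 20)
    body = b"\x00" * 512  # stand-in for LinkTargetIDList / StringData / the PowerShell command
    pdf = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF\n"
    return header + body + pdf

if __name__ == "__main__":
    print(triage_lnk(build_sample()))
```

On a real sample the carved bytes from `find_appended_pdf` can be handed to a PDF scanner separately, while the LNK body itself goes to the script-analysis pipeline.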
PowerShell payloads leading to RAT
At the same time, the PowerShell script downloads a second payload called ps.bin from a Dropbox URL, decrypts it using the AESDecrypt function, and then executes it. This is yet another PowerShell script that downloads additional payloads from Dropbox. First, it downloads and dynamically loads several .NET assemblies that enable the script to use advanced graphical UI capabilities. These capabilities have been used in the past by malware to take screenshots and record the victim's computer screen.
Another downloaded payload is a file called r_enc.bin that is a variant of an open-source remote access trojan known as TruRat, TutRat, or C# R.A.T., whose agent is typically called TutClient.exe. "Currently this particular RAT software is quite dated and likely to be picked up by most antivirus vendors," the researchers said. "However, given the unique method in which this binary is loaded and executed directly into memory (stage2), it is likely to skirt some detections."
More specifically, the method of loading the malicious code directly in memory is known as "fileless" execution because it does not leave any traces on disk, making it harder for traditional file-based antivirus programs to detect it.
The capabilities of this RAT include keylogging, remote desktop, spying through the microphone and camera, remote command prompt execution, process and file management, hiding different message boxes, menus and desktop items, distributed denial-of-service attacks, and stealing information stored in the built-in password managers of several browsers.
VBScript comes into play
At the same time, the PowerShell script from stage 2 invokes a large Base64-encoded string which turns out to be VBScript code. This appears to be an alternative payload delivery mechanism, because this VBScript code also connects to Dropbox and downloads an additional payload called info_sc.txt that contains even more VBScript code.
This new script is quite complex and uses the Windows Management Instrumentation (WMI) API to perform additional actions, including gathering information about the operating system and creating scheduled tasks on the system for persistence. If the OS is older than Windows 10, the script downloads yet another payload from a Dropbox URL, but first uses Google Docs to determine the payload URL.
The VBScript code then drops a PowerShell script on the system. The script is used for periodic communication with a command-and-control mechanism using Dropbox and to load a final script that acts as a powerful backdoor with keylogging and clipboard monitoring capabilities. "The malware payloads used in the DEEP#GOSU represent a sophisticated, multi-stage threat designed to operate stealthily on Windows systems especially from a network-monitoring standpoint," the researchers said. "It relied on both PowerShell and VBScript for its execution which interestingly enough used very minimal obfuscation. Each stage was encrypted using AES and a common password and IV which should minimize network, or flat file scanning detections."